BGP Prefix Origin AS Validation with RPKI

This topic is to discuss the following lesson:

Hello Dears,

Usually when it comes to RPKI, we just check the online tools such as Routinator, as you mentioned, to check if the route is valid or not.

Now could you please explain why we need to configure it on the routers? Is it going to help and not advertise those routes to the peer routers when they are not valid or not found?

Also, shouldn’t this be router bgp 12, or is it okay?

And please, why is prefix 44.44.44.44/32 a not found route?

Hello Ahmedlmad

The validity of routes is something that is dynamic, and it can change. Checking the validity of routes on an online tool without any additional action is useful, but information can become out of date. For this reason, configuring the routers to dynamically check the validity of the routes allows them to get real-time updates to the information.

If for some reason a route becomes invalid by not passing the RPKI check, then the router can reject the route, log the issue and send alerts to any network monitoring service, and determine alternative routes for the same destinations.

As for the typo in the lesson, you are correct, that should indeed be bgp 12. I’ll let Rene know to make the change.

The reason why this prefix is not found is that it has no route origin authorizations (ROAs) in the Routinator server. You are correct, however, that this is not explained further in the lesson. I will ask Rene to clarify this point and to consider modifying the lesson to include this information.

I hope this has been helpful!

Laz

1 Like
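
Added example, not part of the thread or the lesson: a minimal Python sketch of the origin validation a router applies (RFC 6811) to the ROA data it receives over RTR, showing how a route ends up valid, invalid or not found. The VRP table, the AS numbers (including the origin AS used for 44.44.44.44/32) and the `import_action` policy are constructed assumptions.

```python
import ipaddress

# Constructed VRPs (validated ROA payloads): (prefix, max_length, origin_asn).
# Prefixes and AS numbers are documentation values, not data from the lesson.
VRPS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/24", 25, 64497),
]

def validate(prefix, origin_asn, vrps=VRPS):
    """Return 'valid', 'invalid' or 'not-found' for one BGP route (RFC 6811)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_length, vrp_asn in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        if vrp_net.version != route.version or not route.subnet_of(vrp_net):
            continue  # this VRP does not cover the route
        covered = True
        # A covering VRP matches only if the route is not more specific than
        # max_length and the origin AS is the authorized one (AS 0 never matches).
        if route.prefixlen <= max_length and vrp_asn == origin_asn and vrp_asn != 0:
            return "valid"
    # Covered by some ROA but matched by none: invalid. No covering ROA: not found.
    return "invalid" if covered else "not-found"

def import_action(state):
    """Assumed policy: reject invalid routes, accept valid and not-found ones."""
    return "reject" if state == "invalid" else "accept"

if __name__ == "__main__":
    # Constructed routes; 44.44.44.44/32 is the prefix asked about in the thread,
    # with an assumed origin AS.
    routes = [
        ("192.0.2.0/24", 64496),    # matches a VRP
        ("192.0.2.0/24", 64511),    # covered, wrong origin AS
        ("192.0.2.128/25", 64496),  # covered, longer than max_length
        ("44.44.44.44/32", 64500),  # no ROA covers it
    ]
    for prefix, asn in routes:
        state = validate(prefix, asn)
        print(f"{prefix:18} AS{asn:<6} {state:10} {import_action(state)}")
```
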

Hi,

Shouldn’t port 8323 be opened between the router and the Routinator instead of 3323?

Best regards,
Sepideh

Hello Sepideh

Port 3323 is the port used by the RPKI-to-Router protocol (RTR). This is the protocol used to allow BGP routers to communicate with the Routinator server. So for communication between the BGP routers and Routinator, 3323 is the correct TCP port.

The 8323 port is used to connect to the GUI of the Routinator. So from your PC, on a web browser you would include the port number to be used. For example, in this lesson, Rene used: docker1.nwl.ai:8323.

These port numbers are reaffirmed at this related Routinator documentation:
https://routinator.docs.nlnetlabs.nl/en/stable/daemon.html

I hope this has been helpful!

Laz